67 Reasons – Why You Need Deep CDR

Tuesday, October 15th wasn’t patch 2’s-day for Adobe, it was patch 67-day for Acrobat and Reader. The good news is that out of the 67 patched vulnerabilities, 23 of them were not critical – they were only important. There’s an important distinction between a critical vulnerability and an important vulnerability. A critical vulnerability would allow malicious code to execute, if exploited. An important vulnerability would compromise data security if exploited. Are you feeling safer now? Yeah, me neither.

So, what does this have to do with Deep CDR? Come to think of it, what is Deep CDR?

Deep CDR is one of the six key technologies that make up MetaDefender, CDR stands for content disarm and reconstruct. What this means is that files are dissected, anything that has the potential to be dangerous (except typos) is removed, and then the file is reassembled. “Has the potential to be dangerous” does not mean detection, it means that if the content could be active, it is removed. It doesn’t matter if the content pops up a dialog box that says, “Good morning, you are amazing!” or if the content plants a keystroke logger. If it can execute it is removed. Deep CDR enhances the security effectiveness of CDR by diving deep into nested layers of compression and embedded objects, such an Excel chart inside of a PowerPoint file which is inside of a Word document that was delivered to your inbox all zipped up nice and pretty


This is only a brief description of Deep CDR, but then you’re here for a blog, not CPE credits. So we’ll keep it brief.

Here is why Deep CDR matters. Vulnerabilities in Acrobat and Reader can allow a specially crafted PDF to run malicious code that anti-malware products will not detect. At least not initially. Between the beginning of 2017 and the end of 2018 there were 93 CVEs rated 9.3 or higher for Adobe Acrobat.

Deep CDR removes the malicious or suspicious content without detection of malicious or suspicious code. It’s kind of like the process of distillation. Water that may contain solids and bacteria is heated to the point that it is turned to steam. Only the vapor is allowed into the next chamber where it is returned to its liquid state, free of harmful and potentially harmful substances. We have a lot more information about Deep CDR, and many other technologies used by critical infrastructure at the OPSWAT Academy.

So why dig deeper into the files? According to the 2018 Verizon Data Breach Investigations Report (DBIR), many PDFs are simply vehicles for delivering macro-enabled Office documents that are embedded within the PDFs. According to the Symantec Internet Security Threat Report (February 2019), in 2019, 48% of malicious attachments are Office files. That’s up from 5% in 2017. Deep CDR recursively processes files and objects. For example, if a zip file contains a document which in turn contains pictures and a PowerPoint file, then Deep CDR will recurse through the zip file, the office document, and the PowerPoint file. Malicious and potentially harmful objects are removed and pictures and other multimedia filetypes are sanitized to remove any potential steganography and appended code. The PowerPoint file is then reconstructed. The word document is processed in the same manner, and then reconstructed with the safe PowerPoint file inside of it. Finally, the zip file is reconstructed and includes the document with the embedded PowerPoint file.

You have all heard of zero-day attacks. I call them zero minus X-day attacks where X equals the number of days between when the vulnerability could have been exploited and when it became publicly known. If any of the Reader and Acrobat vulnerabilities were already known to malicious actors 2 years ago but were only publicly known to exist two years later, then they are zero-minus-730-day vulnerabilities. Many of the vulnerabilities patched on October 15th were for Acrobat Reader 2017. In 2017 Deep CDR was already capable of neutralizing malicious PDFs that may have been used to exploit these vulnerabilities, even though they were not known to be in existence. Do you see why I say zero minus X-day vulnerabilities?

Deep CDR protects you from threats in supported filetypes that are known and unknown (the zero-minus X number of days that the vulnerability has existed threats)

Sign up for Blog updates
Get information and insight from the leaders in advanced threat prevention.